Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 18:31
Static task: static1
Behavioral task: behavioral1
  Sample: invoice.js
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: invoice.js
  Resource: win10-en-20211014
General
- Target: invoice.js
- Size: 23KB
- MD5: dabe050bb51ca8ac34498a176ac8227a
- SHA1: b07d715fb5daac27e9d55c570ed3707d3858124c
- SHA256: 2e05ea8c7d2121d1af64ae0a03a8cd42aca8a17be7775678c2d214f47d8dbfc1
- SHA512: cbb58f3f962659b91e7ffc72e3ee1d01fd31da0a9c28653d947a6285cfe5da0ceec978c00c7ed667f5bccf476cccf0d25e26dc1e673e06a41d44c7976a67cf6a
Malware Config
Signatures
-
- Blocklisted process makes network request (35 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid  process
  12    536  wscript.exe
  13    412  wscript.exe
  20    412  wscript.exe
  21    536  wscript.exe
  26    412  wscript.exe
  27    536  wscript.exe
  30    412  wscript.exe
  31    536  wscript.exe
  34    412  wscript.exe
  37    536  wscript.exe
  38    412  wscript.exe
  39    536  wscript.exe
  40    412  wscript.exe
  41    536  wscript.exe
  42    412  wscript.exe
  43    536  wscript.exe
  45    412  wscript.exe
  46    536  wscript.exe
  47    412  wscript.exe
  48    536  wscript.exe
  49    412  wscript.exe
  50    536  wscript.exe
  51    412  wscript.exe
  52    536  wscript.exe
  53    412  wscript.exe
  54    536  wscript.exe
  55    412  wscript.exe
  56    536  wscript.exe
  57    412  wscript.exe
  58    536  wscript.exe
  59    412  wscript.exe
  60    536  wscript.exe
  61    412  wscript.exe
  62    536  wscript.exe
  63    536  wscript.exe
- Drops startup file (3 IoCs)
  Processes: wscript.exe, wscript.exe
  description / ioc / process:
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ztRjTeZckf.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ztRjTeZckf.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe, wscript.exe
  description / ioc / process:
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ztRjTeZckf.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\3W2CQPM6PM = "\"C:\\Users\\Admin\\AppData\\Roaming\\invoice.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description / pid / process / target process:
  PID 412 (wscript.exe) wrote to memory of PID 536 (wscript.exe)
  PID 412 (wscript.exe) wrote to memory of PID 536 (wscript.exe)
Processes
- C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\invoice.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ztRjTeZckf.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ztRjTeZckf.js
  MD5: 2697845d2c7ec6c8544bf5479d8b5d7f
  SHA1: 93bb2256e2c2402d0cc121e3c2d385fa87c43e9d
  SHA256: 0a779aefb4dcf1ebf73544e0a59cbf6584490e7954d2dd82772b5ef9b6a446da
  SHA512: d1d4fdfd9c7b2e0284b977bdd33956c8d49c840b7dc0e618ef8f8dcc67974f2e78d7652db0ea25ad7379b3d1f33274559d648ae2b371ddeedc4a96f98bb91cec
- memory/536-115-0x0000000000000000-mapping.dmp